b'                                                                     C-IN-FWS-0093-2002\n\n             United States Department of the Interior\n\n                              Office of Inspector General\n                                    Washington, D.C. 20240\n                                                                             March 26, 2003\n\nMemorandum\n\nTo:        Director, U.S. Fish and Wildlife Service\n\n\nFrom:      Roger La Rouche\n           Assistant Inspector General for Audits\n\nSubject:   Independent Auditors\xe2\x80\x99 Report on the U.S. Fish and Wildlife Service\xe2\x80\x99s\n           Financial Statements for Fiscal Years 2002 and 2001\n           (Report No. 2003-I-0039)\n\n        We contracted with KPMG LLP (KPMG), an independent certified public\naccounting firm, to audit the U.S. Fish and Wildlife Service\xe2\x80\x99s (Service) financial\nstatements as of September 30, 2002 and for the year then ended. The contract required\nthat KPMG conduct its audit in accordance with the Comptroller General of the United\nStates of America\xe2\x80\x99s Government Auditing Standards, the Office of Management and\nBudget\xe2\x80\x99s Bulletin 01-02 Audit Requirements for Federal Financial Statements, and the\nGeneral Accounting Office/President\xe2\x80\x99s Council on Integrity and Efficiency\xe2\x80\x99s Financial\nAudit Manual.\n\n        In its audit report dated January 10, 2003 (Attachment 1), KPMG issued a\nqualified opinion on the Service\xe2\x80\x99s financial statements for fiscal years 2002 and 2001.\nKPMG\xe2\x80\x99s opinion was qualified because the Service was unable to provide adequate\ndocumentation to support the general property, plant and equipment balances stated as\n$935 million as of September 30, 2002, and $881 million as of September 30, 2001.\nPreviously KPMG, in its report dated January 21, 2002, issued an unqualified opinion on\nthe Service\xe2\x80\x99s 2001 financial statements. Because of the problems identified above,\nKPMG\xe2\x80\x99s opinion on the 2001 financial statements is different from that previously\nexpressed. KPMG identified eight reportable conditions related to the following internal\ncontrols and financial operations: (1) processes, controls, and financial reporting relating\nto buildings, structures, and construction work in process, (2) financial reporting process,\n(3) reconciling transactions within the Service as well as with other Department of the\nInterior components, (4) controls, processes, and financial reporting relating to year-end\naccruals, (5) controls, processes, and financial reporting relating to capital equipment, (6)\nsecurity and general controls over financial management systems, (7) grant controls and\nprocesses over reporting requirements, and (8) IDEAS-Procurement Desktop controls.\nKPMG considers the first four reportable conditions to be material weaknesses. With\nregard to compliance with laws and regulations, KPMG found the Service noncompliant\nwith portions of the Federal Financial Management Improvement Act (FFMIA).\n\x0cSpecifically, KPMG reported that the Service\xe2\x80\x99s financial management systems were not\nin substantial compliance with Federal financial management systems requirements and\nFederal accounting standards.\n\n        In connection with the contract, we monitored the progress of the audit at key\npoints, reviewed KPMG\xe2\x80\x99s report and selected related working papers, and inquired of its\nrepresentatives. Our review, as differentiated from an audit in accordance with the\nGovernment Audit Standards, was not intended to enable us to express, and we do not\nexpress, an opinion on the Service\xe2\x80\x99s financial statements, conclusions about the\neffectiveness of internal controls, conclusions on whether the Service\xe2\x80\x99s financial\nmanagement systems substantially complied with the three requirements of FFMIA, or\nconclusions on compliance with laws and regulations. KPMG is responsible for the\nauditors\xe2\x80\x99 report and for the conclusions expressed in the report. Our review disclosed no\ninstances where KPMG did not comply in all material respects with the Government\nAuditing Standards.\n\n       In the March 7, 2003, response from the Deputy Director (Attachment 2), the\nService concurred with all ten findings. Based on the response all recommendations are\nconsidered resolved but not implemented. The recommendations will be referred to the\nAssistant Secretary for Policy, Management and Budget for tracking of implementation.\n\n      Section 5(a) of the Inspector General Act (5 U.S.C. App. 3) requires the Office of\nInspector General to list this report in its semiannual report to the Congress.\n\n\n\n\nAttachments (2)\n\x0c                                                                                                           ATTACHMENT\n                                                                                                         aAttachmnet\n                                                                                                         t\n\n\n\n           Suite 2700\n           707 Seventeenth Street\n           Denver, CO 80202\n\n\n\n\n                                                                          Independent Auditors\xe2\x80\x99 Report\n\n\nThe Director of the United States Fish and Wildlife Service and\n  the Inspector General of the Department of the Interior:\n\nWe have audited the accompanying consolidated balance sheets of the United States Fish and Wildlife\nService (the Service) as of September 30, 2002 and 2001, the related consolidated statements of net cost\nfor the years then ended, and the related consolidated statement of changes in net position, combined\nstatement of budgetary resources, and consolidated statement of financing for the year ended\nSeptember 30, 2002 (herein after referred to as the financial statements). The objective of our audits was to\nexpress an opinion on the fair presentation of these financial statements. In connection with our audits, we\nalso considered the Service\xe2\x80\x99s internal control over financial reporting and tested the Service\xe2\x80\x99s compliance\nwith certain provisions of applicable laws and regulations that could have a direct and material effect on its\nfinancial statements.\n\nSummary\nAs stated in our opinion on the financial statements, except for the effects on the 2002 and 2001 financial\nstatements of such adjustments, if any, as might have been determined to be necessary had we been able to\napply adequate procedures to general property, plant, and equipment, we concluded that the Service\xe2\x80\x99s\nfinancial statements as of and for the years ended September 30, 2002 and 2001, are presented fairly, in all\nmaterial respects, in conformity with accounting principles generally accepted in the United States of\nAmerica.\n\nAs discussed in note 16 to the financial statements, the Service restated its fiscal year 2001 consolidated\nbalance sheet and statement of net cost, and its beginning of fiscal year 2002 unobligated budgetary\nbalance. Also, as discussed in note 16 to the financial statements, the Service changed its method of\naccounting for allocation transfers as of October 1, 2001.\nOur consideration of internal control over financial reporting resulted in the following conditions being\nidentified as reportable conditions:\n\nReportable Conditions that are Considered to be Material Weaknesses\nA.    Processes, controls, and financial reporting relating to buildings, structures, and construction work in\n      process\n\nB.    Financial reporting process\nC.    Reconciling transactions within the Service as well as with other Department of the Interior\n      components\n\nD.    Controls, processes, and financial reporting relating to year-end accruals\n\n\n\n           KPMG LLP. KPMG LLP, a U.S. limited liability partnership, is\n           a member of KPMG International, a Swiss association.                        1\n\x0cOther Reportable Conditions\nE.    Controls, processes, and financial reporting relating to capital equipment\n\nF.    Security and general controls over financial management systems\n\nG.    Grant controls and processes over reporting requirements\n\nH.    IDEAS-Procurement Desktop controls\nThe results of our tests of compliance with the laws and regulations, exclusive of the Federal Fin ancial\nManagement Improvement Act of 1996 (FFMIA), disclosed no instances of noncompliance that are\nrequired to be reported herein under Government Auditing Standards, issued by the Comptroller General of\nthe United States, or Office of Management and Budget (OMB) Bulletin No. 01-02, Audit Requirements\nfor Federal Financial Statements.\n\nThe results of our tests of FFMIA disclosed instances where the Service\xe2\x80\x99s financial management systems\ndid not substantially comply with federal financial management systems requirements and federal\naccounting standards.\n\nThe following sections discuss our opinion on the Service\xe2\x80\x99s financial statements, our consideration of the\nService\xe2\x80\x99s internal control over financial reporting, our tests of the Service\xe2\x80\x99s compliance with certain\nprovisions of applicable laws and regulations, and management\xe2\x80\x99s and our responsibilities.\n\nOpinion on the Financial Statements\nWe have audited the accompanying consolidated balance sheets of the Service as of September 30, 2002\nand 2001, the related consolidated statements of net cost for the years then ended, and the related\nconsolidated statement of changes in net position, combined statement of budgetary resources, and\nconsolidated statement of financing for the year ended September 30, 2002.\n\nDuring our audit of the 2002 financial statements, we determined that as of September 30, 2002 and 2001,\nthe Service had not maintained customary records for its real property assets, which represent the majority\nof general property, plant, and equipment included in the Service\xe2\x80\x99s financial statements. As a result, it was\nnot practicable to extend our auditing procedures sufficiently to satisfy ourselves as to the accuracy,\ncompleteness and existence of general property, plant, and equipment stated at $935,384,000 and\n$880,634,000 in the accompanying consolidated balance sheets as of September 30, 2002 and 2001,\nrespectively. Such amounts enter into the determination of net position. We expressed an unqualified\nopinion on the Service\xe2\x80\x99s 2001 financial statements in our report dated January 21, 2002. Our opinion on\nthe 2001 financial statements, as presented herein, is different from that expressed in our previous report.\n\nIn our opinion, except for the effects on the 2002 and 2001 financial statements of such adjustments, if any,\nas might have been determined to be necessary had we been able to apply adequate procedures to general\nproperty, plant, and equipment, as discussed in the preceding paragraph, the financial statements referred to\nabove present fairly, in all material respects, the financial position of the Service as of September 30, 2002\nand 2001, its net costs for the years then ended, and its changes in net position, budgetary resources, and\nreconciliation of net costs to budgetary obligations for the year ended September 30, 2002, in conformity\nwith accounting principles generally accepted in the United States of America.\nAs discussed in note 16 to the financial statements, the Service restated its fiscal year 2001 consolidated\nbalance sheet and statement of net cost, and its beginning of fiscal year 2002 unobligated budgetary\nbalance. Also, as discussed in note 16 to the financial statements, the Service changed its method of\naccounting for allocation transfers as of October 1, 2001.\n\n\n\n                                                      2\n\x0cThe information in the management\xe2\x80\x99s discussion and analysis, required supplementary information and\nrequired supplementary stewardship information sections is not a required part of the financial statements,\nbut is supplementary information required by accounting principles generally accepted in the United States\nof America and OMB Bulletin No. 01-09, Form and Content of Agency Financial Statements. We have\napplied certain limited procedures, which consisted principally of inquiries of management regarding the\nmethods of measurement and presentation of this information. However, we did not audit this information\nand, accordingly, we express no opinion on it. The Service changed its method for calculating deferred\nmaintenance in fiscal year 2002 to make its estimate consistent with calc ulations made within the\nDepartment of the Interior. This method resulted in an increase in the deferred maintenance estimate.\n\nInternal Control Over Financial Reporting\nOur consideration of internal control over financial reporting would not necessarily disclose all matters in\nthe internal control over financial reporting that might be reportable conditions. Under standards issued by\nthe American Institute of Certified Public Accountants, reportable conditions are matters coming to our\nattention relating to significant deficiencies in the design or operation of the internal control over financial\nreporting that, in our judgment, could adversely affect the Service\xe2\x80\x99s ability to record, process, summarize,\nand report financial data consistent with the assertions by management in the financial statements.\nMaterial weaknesses are reportable conditions in which the design or operation of one or more of the\ninternal control components does not reduce to a relatively low level the risk that misstatements in amounts\nthat would be material in relation to the financial statements being audited may occur and not be detected\nwithin a timely period by employees in the normal course of performing their assigned functions.\n\nIn our fiscal year 2002 audit, we noted certain matters involving internal control over financial reporting\nand its operation that we consider to be reportable conditions. We believe that the following reportable\nconditions are material weaknesses.\n\nA.    Processes, Controls, and Financial Reporting Relating to Buildings, Structures, and\n      Construction Work in Process\n      The Service needs to improve processes and controls over the recording of buildings, structures, and\n      construction work in process as follows:\n\n      1.    Capitalization of Assets \xe2\x80\x93 The Service does not consistently capitalize real property.\n            Specifically, we determined that the Service capitalized stewardship land improvements that\n            should have been expensed and the Service expensed real property associated with\n            stewardship land that should have been capitalized. In addition, we determined that the Service\n            does not have adequate procedures to determine, at the inception of a lease, if the lease should\n            be accounted for as a capital or operating lease.\n      2.    Inventory Processes \xe2\x80\x93 The Service completes inventories as part of its annual data call to\n            confirm the accuracy, existence, and completeness of certain real property. We noted that the\n            physical inventory processes are not effective as they do not consistently identify acquisitions\n            and disposals that need to be reflected in the financial statements. We also noted that the\n            Service does not adjust the general ledger or Real Property Inventory (RPI) system based on\n            the inventory results in a timely manner.\n      3.    Acquisitions and Disposals \xe2\x80\x93 The Service does not consistently record real property\n            acquisitions and disposals in a timely manner. Specifically, we determined that the Service\n            expends a significant amount of time and resources identifying and recording real property\n            transactions after the end of the fiscal year. Furthermore, we noted that the Service does not\n            consistently maintain source documents to support the acquisition and disposal of real\n            property.\n\n\n                                                       3\n\x0c4.    Transfers and Donation \xe2\x80\x93 The Service does not have controls to ensure real property\n      transferred and donated to the Service is properly recorded.\n5.    Recording Depreciation \xe2\x80\x93 The Service has not established and implemented controls to\n      ensure depreciation starts when assets are placed in service and to ensure useful lives of real\n      property and improvements to real property are consistently applied for the purposes of\n      recording depreciation. In addition, the Service does not calculate or record depreciation until\n      the end of the year.\n6.    Reconciliation RPI to the General Ledger \xe2\x80\x93 The Service is not able to accurately and\n      efficiently reconcile RPI to the general ledger for real property.\nAs a result of these material weaknesses, the Service expended a significant amount of time and\nresources analyzing, counting, reconciling, and adjusting real property. Also, the Service had not\nmainta ined customary records for its real property assets, which represent the majority of general\nproperty, plant, and equipment included in the Service\xe2\x80\x99s financial statements. Consequently, it was\nnot practicable to extend our auditing procedures sufficiently to satisfy ourselves as to the accuracy,\ncompleteness, and existence of general property, plant, and equipment stated at $935,384,000 and\n$880,634,000 in the consolidated balance sheets as of September 30, 2002 and 2001, respectively.\n\nRecommendation\n1.    Capitalization of Assets\n      a.    We recommend that the Service develop a formal real property capitalization policy.\n            This policy should indicate the types of disbursements that should be capitalized,\n            expensed as acquisition and improvements to stewardship land, or expensed because\n            they are incidental to the acquisition of stewardship land.\n      b.    We also recommend that the Service establish procedures to determine, at the inception\n            of the lease, if the lease should be accounted for as a capital or operating lease.\n      c.    Further, we recommend that the Service communicate the real property policy and lease\n            procedures by providing training to the individuals implementing the real property\n            policy and lease procedures.\n\n2.    Inventory Processes\n      a.    We recommend that the Service improve its inventory processes to verify the accuracy,\n            existence, and completeness of real property. The Service should establish required\n            inventory policies and train individuals on how to perform inventories.\n      b.    We also recommend that the Service record adjustments to RPI and the general ledger as\n            a result of the inventory observations in a more timely manner.\n\n3.    Acquisitions and Disposals\n      a.    We recommend that the Service implement internal controls to ensure that real property\n            transactions are recorded in the subsidiary ledger and general ledger at the time the\n            financial event occurs and at the proper amount.\n\n      b.    We also recommend that the Service maintain source documents related to property,\n            plant, and equipment acquisitions and disposals.\n\n\n\n\n                                               4\n\x0c4.    Transfers and Donations \xe2\x80\x93 We recommend that the Service review accounting transactions\n      to ensure that assets transferred and donated to the Service are properly recorded. This should\n      include revising the procedures to properly record real property received from others.\n5.    Recording Depreciation \xe2\x80\x93 We recommend that the Service design, communicate, and\n      implement internal controls to ensure that depreciation begins when assets are placed in\n      service and that useful lives are consistently applied. The process should establish useful lives\n      of newly constructed/purchased real property, useful lives of property received and previously\n      owned by other entities, useful lives of improvements to property, and changes in useful lives\n      of improved property. The process should also include improving the communication between\n      the Division of Financial Management and the regions and field offices.\n6.    Reconciliation of RPI to the General Ledgers \xe2\x80\x93 We recommend that the Service reconcile\n      RPI to the general ledger on a quarterly basis, including resolving any reconciling items.\n\nManagement Response\nThe Service agrees with this finding and recognizes that improvements are necessary to record and\nreport its real property assets accurately and completely. As a consequence, the Service is working\non corrective actions designed to implement KPMG\xe2\x80\x99s recommendations.\n\n1.    Capitalization of Assets \xe2\x80\x93 The Service will establish policies for real and personal property\n      assets. The Service will also participate in Departmental work groups designed to improve\n      Department-wide policies and controls over property, plant, and equipment (PP&E).\n2.    Inventory Processes \xe2\x80\x93 The Service is committed to conducting a comprehensive review of the\n      RPI, validating and updating information in the database during FY 2003. This review\n      validates property information in the RPI from which financial data is derived, including\n      verifying acquisition year, construction year, acquisition cost or value, and disposals.\n      Additionally, the Service will standardize the RPI processes for the timely recording of\n      acquisitions and disposals in the RPI and the Federal Financial System (FFS) general ledger as\n      well as the maintenance of source documentation.\n3.    Acquisitions and Disposals \xe2\x80\x93 As part of the comprehensive review to the RPI, the Service\n      will evaluate existing documentation rela ted to real property acquisitions and disposals and\n      secure necessary support information for key data fields of the RPI. The Service will also\n      standardize processes for the timely recording of acquisitions and disposals in the RPI and FFS\n      as well as the maintenance of source documentation.\n4.    Transfers and Donations \xe2\x80\x93 As part of the comprehensive RPI review, the Service will revise\n      policies and standardize procedures governing entry of new data for transferred and donated\n      property into the RPI and FFS general ledger as well as the maintenance of source\n      documentation.\n5.    Recording Depreciation \xe2\x80\x93 The Service will develop policies and standardized processes for\n      the timely recording of acquisitions, disposals, transfers, and donations in the RPI. The Service\n      will also add key data fields to the RPI that will generate or calculate depreciation information\n      so that it is available on a quarterly basis.\n6.    Reconciliation of RPI to the General Ledger \xe2\x80\x93 As part of the overall actions described\n      above, the improvements to the Service\xe2\x80\x99s RPI policies and processes will result in more timely\n      and frequent reconciliations to assist in preparing accurate and complete financial statements.\n\n\n\n\n                                               5\n\x0cB.   Financial Reporting Process\n     In the prior year we reported a material weakness over internal controls for financial reporting. This\n     year we noted the Service made progress in implementing our recommendations including:\n\n     \xe2\x80\xa2     Performing regular account reconciliations and management reviews of various\n           reconciliations. Specifically, we noted that the Service performed reconciliations of\n           proprietary to budgetary accounts during fiscal year 2002; and,\n     \xe2\x80\xa2     Working with the Solicitors\xe2\x80\x99 Office to properly determine, accrue, and disclose environmental\n           clean-up liabilities.\n     While these steps improved the processes to in itiate and record financial transactions, the Service\n     still needs to continue to improve its controls and processes associated with accounting and financial\n     reporting. During our audit, we noted the following issues that result in financial reporting processes\n     continuing to be material weaknesses:\n\n     \xe2\x80\xa2     The Service\xe2\x80\x99s financial reporting process continues to be untimely, manually intensive, and\n           prone to some error. This weakness is due in part to the turnover in the financial reporting\n           section, which resulted in a lack of understanding of the financial reporting systems, OMB\n           Bulletin 01-09, standard financial statement crosswalks, and the Service\xe2\x80\x99s accounting\n           processes.\n     \xe2\x80\xa2     The statement of financing had unreconciled differences of $1 million.\n     \xe2\x80\xa2     Based on our interviews and test work, it appears that program, field, and regional offices\n           continue to primarily analyze transactions and reports on budgetary execution. Asset and\n           liability management and review of proprietary account information is primarily performed by\n           the Division of Finance, not program, field, and regional offices.\n     \xe2\x80\xa2     Service personnel coded numerous transactions to incorrect budget object classes (BOCs)\n           which map to standard general ledger (SGL) accounts. The BOCs track disbursements\n           according to type such as, but not limited to, compensation, benefits, travel, purchase of goods\n           and services from governmental agencies, and equipment and structures. In many instances,\n           the Service corrected the original incorrect postings through its review or reconciliation\n           processes; however, this practice is manually intensive and time consuming.\n     \xe2\x80\xa2     During the year the Service did not use proper posting models for transfers. For example, the\n           Service recorded approximately $600 million of transfers in; however, approximately $9\n           billion of activity went through the account during the year. The Service corrected the original\n           incorrect postings through its review and reconciliation processes; however, this practice was\n           manually intensive and time consuming.\n     \xe2\x80\xa2     The Service did not detect a debit balance of $25 million in accounts payable. This error was\n           due to inaccurate reversals of prior-year accruals. Also, the Service did not record\n           approximately $1 million of grant accruals.\n     \xe2\x80\xa2     The Service made entries directly to its equity accounts instead of reflecting corrections as\n           current-year activity or prior-period adjustments.\n     \xe2\x80\xa2     The Service could not prepare the Fund Balance with Treasury Balance note in an accurate and\n           timely manner.\n     \xe2\x80\xa2     We passed 31 audit differences identified during the audit. While we believe these entries are\n           not material to the financial statements taken as a whole of the Service, they do indicate\n           further financial reporting issues.\n\n\n                                                    6\n\x0c\xe2\x80\xa2     The Service does not maintain an audit trail for performing and reviewing reconciliations\n      between Hyperion and its feeder system, FFS. We noted that the Service\xe2\x80\x99s fourth quarter 2002\n      FFS upload resulted differences between FFS and Hyperion account balances which had to be\n      resolved through the course of the audit.\n\n\xe2\x80\xa2     Some journal entries for Hyperion are written in Excel by any of the Service\xe2\x80\x99s Hyperion users\n      (all Hyperion users can perform this function). Journal entries are required to be approved by\n      management, however, at the Service, such approvals were sometimes verbal, and therefore,\n      an audit trail does not exist. We also noted that journal entries are not consistently signed off\n      or otherwise noted that they have been entered.\n\nThe continued deficiencies in the Service\xe2\x80\x99s financial reporting process result from inadequate or\npoorly designed controls and systems, lack of appropriate training, and inadequate management\noversight of financial transactions.\n\nRecommendation\nThe Service should reevaluate its financial reporting process to improve its efficiency and\neffectiveness. The manual efforts currently required to generate financial statements should be taken\ninto consideration. The Service\xe2\x80\x99s evaluation should include, but not be limited to:\n\n1.    Reviewing Service policies and procedures to ensure that internal and external financial\n      reporting is accurate, complete, and timely.\n\n2.    Providing for adequate succession planning to ensure trained, knowledgeable resources are\n      available to prepare accurate and complete financial statements in a timely manner.\n3.    Assigning responsibility for posting models to ensure the Service uses the proper model and\n      avoids major clean-up.\n4.    Training Division of Finance, program and regional, and National Business Center personnel\n      on transaction coding, account analysis, and financial reporting. This training should also\n      ensure that personnel are adequately trained on the Hyperion financial reporting application.\n      The Service should enhance training of personnel responsible for coding and approving\n      disbursements to ensure these transactions are coded to the proper BOC and SGLs at the initial\n      transaction.\n5.    Developing periodic review processes by program managers and regional budget and finance\n      officers of FFS financial and budgetary information.\n6.    Consistently apply processes surrounding manual journal entries, including sign-off of Service\n      management indicating approval of each entry and sign-off of accountant making the entry.\n7.    Implement a process to reconcile FFS to Hyperion, which includes investigating and resolving\n      differences in a timely manner.\n\nManagement Response\nThe Service agrees tha t there are improvements that need to be made to its financial reporting\nprocesses and has taken steps to address KPMG\xe2\x80\x99s recommendations.\n1.    Reviewing Internal Policies and Procedures \xe2\x80\x93 The Service\xe2\x80\x99s Division of Financial\n      Management is currently developing internal procedures and checklists governing roles and\n      responsibilities, including account reconciliations, investigation and resolution for variances\n      and illogical balances, etc.\n\n\n                                               7\n\x0c     2.    Provide Adequate Succession Planning \xe2\x80\x93 The Division of Financial Management is\n           undergoing an intensive restaffing effort and has taken significant steps to ensure that its\n           personnel are knowledgeable and adequately trained to perform key financial statement\n           preparation functions. The Service is also participating in Departmental financial management\n           recruiting programs to ensure a regular succession of staff.\n\n     3.    Assign Responsibility for Posting Models \xe2\x80\x93 The Service has made the specific assignment of\n           updating and maintaining posting models to the Branch of Financial Statements within the\n           Division of Financial Management.\n\n     4.    Training Division of Financial Management, Regional, Program, and NBC Personnel \xe2\x80\x93\n           The Service continues its training efforts, initiated in FY 2001, for key personnel regarding\n           transaction coding, account analysis, and financial reporting. Further, Service management and\n           technical experts gained significant hands-on experience and enhanced key skill sets during\n           the FY 2002 financial reporting and audit cycle that will improve Service performance in FY\n           2003. The Service will develop a formal training plan for priority financial reporting and\n           transaction areas.\n\n     5.    Periodic Review Processes By Program Managers, Regional Budget, and Finance\n           Officers \xe2\x80\x93 The Service plans to establish Regional Chief Financial Officers to promote the\n           review of all financial management information. In addition, the Service will develop\n           checklists for Regional program and budget and finance personnel that will define reviews for\n           financial management information.\n\n     6.    Apply Consistent Processes for Manual Journal Entries \xe2\x80\x93 The Service will implement a\n           standard process for reviewing and approving manual journal entries involving review and\n           sign-off by Division of Financial Management supervisors.\n\n     7.    Audit Trail \xe2\x80\x93 Hyperion and FFS are fundamentally different systems, for both of which the\n           Department serves as the system owner. Without an electronic interface, reconciliation\n           between Hyperion and FFS is manual. The Service\xe2\x80\x99s audit trail consists of traceable corrective\n           actions to the upload file and adjusting journal entries to bring the two systems into alignment.\n           Until the Department provides an electronic interface to bureau end users, the Service must\n           continue its existing reconciliation operations.\n\nC.   Reconciling Transactions Within the Service as Well as With Other Department of the Interior\n     Components\n     As part of its reporting process, the Service is required to reconcile intrabureau activity and\n     intradepartmental transactions between other Department of the Interior (Department) bureaus\n     (referred to as trading partners). The Department and the Service have begun a process to reconcile\n     the intra-Departmental transactions on a quarterly basis; however, as of third quarter, the Service\xe2\x80\x99s\n     intrabureau activity was out of balance by $319 million and it had variances with other Department\n     bureaus totaling $20 million. As of the end of the fourth quarter, the Service\xe2\x80\x99s intrabureau activity\n     was out of balance by $486,000 and it had variances with other Department bureaus totaling $2.7\n     million. As part of the audit process, most of these differences were reconciled.\n     The Service\xe2\x80\x99s reconciliation process is a manual process and the Service currently does not have the\n     necessary resources focused on this condition. Variances within the Service accounts and between\n     trading partners are currently identified through a manual process, which includes entering\n     transaction data into Hyperion. This information is accessible by all Department bureaus. Although\n     the information is entered into Hyperion throughout the year, variances are not adequately reconciled\n     and resolved in a timely manner. It also appears as though some of the differences relate to\n     inconsistent posting models used by the Service.\n\n                                                    8\n\x0c     Variances within Service accounts and with trading partners indicate misstatements in financial\n     reporting at both the bureau and Department levels. Further, the majority of the reconciliations\n     continue to occur at year-end and encompass a significant amount of accounting staff time and\n     resources. The lack of devotion of time and resources to these areas may ultimately impact the\n     Service\xe2\x80\x99s ability to prepare reliable financial statements in a timely manner as timelines for financial\n     reporting continue to be expedited.\n\n     Recommendation\n     We understand that the Department is developing an automated process to facilitate the\n     reconciliation of intradepartmental transactions. Until the automated process is implemented, we\n     recommend that the Service improve its manual process to identify and reconcile the\n     intradepartmental transactions to address the material weaknesses. The reconciliation process should\n     be completed quarterly and include procedures to resolve any differences identified in a timely\n     manner.\n\n     Management Response\n     The Service concurs with the finding; however, the Service would like to point out that reconciling\n     intradepartmental transactions is a problem common to all Department bureaus. The Service\xe2\x80\x99s efforts\n     to reconcile transactions are often made more difficult because timely and accurate information is not\n     available from other bureaus. Until the planned Department-wide automated system for eliminating\n     intrabureau transactions is implemented, the elimination reconciliation process will remain a difficult\n     and resource intensive task for all bureaus.\n\nD.   Controls, Processes, and Financial Reporting Relating to Year-End Accruals\n     The Service did not properly accrue accounts payable at year-end. Based on our audit, the Service\n     made an adjustment of approximately $14 million to properly reflect accounts payable. The Service\n     also did not accrue liabilities for goods and services provided under reimbursable agreements and the\n     related accounts receivable totaling approximately $2.6 million.\n     The Service\xe2\x80\x99s process to record accounts payable at year-end relies on field stations and other\n     divisions to make accurate and complete accruals. Our test work and discussions with Service\n     personnel revealed these groups did not completely understand and execute the year-end closing\n     instructions related to accruals.\n\n     Recommendation\n     To address this material weakness, the Service should evaluate and revise, as applicable, its process\n     to accrue accounts payable at year-end. This evaluation should include, but not be limited to:\n     1.    Ensuring regional offices explain the accrual process to field stations and monitor execution of\n           year-end closing instructions relating to accruals.\n     2.    Consideration of alternative methods to accrue accounts payable at year-end that do not rely\n           on field stations to record individual invoices or projects.\n\n     Management Response\n     The Service is pursuing alternative methods for accruing accounts payable quarterly and at year-end\n     that do not rely on field stations recording individual invoices. The Service is also directly\n     participating in Department efforts to establish Department-wide policies and procedures governing\n     accruals. The Service will also work with KPMG by seeking their review and concurrence of newly\n     developed alternative methods.\n\n\n                                                     9\n\x0cWe noted the following reportable conditions that are not considered material weaknesses:\n\nE.    Controls, Processes, and Financial Reporting Relating to Capital Equipment\n      In the prior year, we reported a material weakness over internal control for capital equipment. This\n      year, we noted the Service made progress in implementing the recommendations including:\n\n      \xe2\x80\xa2     Implementing one personal property system for capital equipment, the Personal Property\n            Management System (PPMS).\n\n      The Service also made plans to implement changes for fiscal year 2003 to:\n\n      \xe2\x80\xa2     Apply consistent depreciation polices based on appropriate useful lives and acquisition dates.\n\n      \xe2\x80\xa2     Record the cost of capital equipment transferred to the Service from other federal agencies at\n            net book value.\n\n      \xe2\x80\xa2     Revise inconsistent salvage values.\n      While these steps improved the processes to initiate and record fixed assets, the Service needs to\n      continue to improve its controls and processes associated with the accounting for and reporting of\n      capital equipment. During our audit, we noted the following:\n\n      \xe2\x80\xa2     Neither PPMS or the FFS is completely accurate at year-end due to various reconciliation and\n            timing issues. These differences are not considered material to the financial statements of the\n            Service taken as whole; however, certain adjustments were made to correct the financial\n            statements.\n\n      \xe2\x80\xa2     Capitalized equipment deletions and additions are entered throughout the year and are\n            reconciled within the month they are entered into the PPMS on the Capitalized Equipment\n            Report. Capitalized equipment is recorded in the SGL monthly as it is entered into FFS;\n            however, both systems are reconciled at year-end.\n\n      \xe2\x80\xa2     The Service recorded corrections to capital equipment through current-year activity without an\n            evaluation as to the impact to prior-year recorded amounts. For example, certain regions\n            changed the acquisition cost of capital equipment. Such changes were treated as current period\n            changes in the financial statements and not evaluated for prior-period impact. Deletions were\n            also not evaluated for prior-period impact.\n      \xe2\x80\xa2     Certain regions did not enter capital equipment items into the PPMS in a timely manner. End\n            of year PPMS amounts are used to record capital equipment in the FFS. The delay in entering\n            capital equipment information into PPMS may result in assets being entered into PPMS in\n            fiscal year 2003 that were received by the Service in fiscal year 2002. Since the Service\n            records capital equipment based on information in PPMS, this may result in assets not being\n            reflected in the financial statements in the proper fiscal year.\n      \xe2\x80\xa2     One region recorded the acquisition date in PPMS as the date the assets were entered into the\n            system instead of the date the asset was received.\n      Recommendation\n      We recommend the Service continue its efforts to evaluate and revise, as applicable, its processes for\n      acquiring, tracking, and reporting capital equipment. Specifically, the Service should :\n\n\n\n\n                                                    10\n\x0c     1.    Work towards quarterly reporting of capital equipment. Specifically, the Division of Financial\n           Management should post acquisitions and dispositions as well as depreciation to FFS on a\n           periodic basis throughout the year.\n     2.    Ensure implementation of planned fiscal year 2003 changes to transfer values, salvage values,\n           and depreciation policies.\n     3.    Ensure corrections to capital equipment are evaluated as prior-period adjustments as\n           applicable.\n\n     4.    Ensure timely entry of capital equipment items into PPMS.\n     5.    Improve the reconciliation performed by the Division of Financial Management of PPMS to\n           FFS to ensure all reconciling items are identified and adequately supported.\n\n     Management Response\n     The Service is committed to using a continually updated personal property system that contributes\n     timely information to the quarterly financial statement preparation process. We appreciate KPMG\n     acknowledging Service improvements and advancements in achieving this goal. The Service will\n     continue to perfect quarterly reconciliation processes, including identifying all necessary information\n     that must be kept in the Service\xe2\x80\x99s PPMS and exploring automated means of reconciliation between\n     PPMS and FFS. Also, the Service will develop guidelines to assist regional property managers to\n     record identified information into PPMS properly and timely and to use IDEAS to track new\n     equipment purchases for proper entry into PPMS and FFS.\n\nF.   Security and General Controls over Financial Management Systems\n     The Service has made recent improvements in the security and controls over its information systems;\n     however, controls still need to be improved in the areas described below, as required by OMB\n     Circular A-130, Management of Federal Information Resources. These conditions could affect the\n     Service\xe2\x80\x99s ability to prevent and detect unauthorized changes to financial information, control\n     electronic access to sensitive information, ensure that data and system integrity is achieved, and\n     protect its information resources.\n     During our audit, we noted the Service improved its security related personnel policies and\n     procedures as well as computer security training. The Service also improved its policies and\n     procedures governing National Communications Center functions. Finally, the Service improved\n     certain aspects of its network security though configuration management. However, we did note the\n     following areas in which controls still need to be improved.\n     1.    Entity-Wide Security Program and Planning : An entity-wide security program, including\n           security policies and a related implementation plan, is the foundation of an entity\xe2\x80\x99s security\n           control structure and a reflection of senior management\xe2\x80\x99s commitment to addressing security\n           risks. As outlined in OMB Circular A-130, an effective security program includes a risk\n           assessment process, a certification process, and an effective incident response and monitoring\n           capability. The Service does not have a comprehensive entity-wide security program that\n           identifies established security plans, security program management and related personnel, as\n           well as ongoing management of security policies and procedures. Specifically, the Service has\n           not:\n\n           \xe2\x80\xa2     Implemented an effective entity-wide security program that includes a centralized\n                 security structure, a comprehensive incident handling program, addresses system\n                 software ownership, a standard for the Statement of Responsibility process, a process for\n\n\n                                                    11\n\x0c           prompt user access removal from all Service systems, and performance of background\n           checks and completion of nondisclosure statements; and,\n     \xe2\x80\xa2     Established a current, comprehensive security plan that addresses user account\n           administration.\n2.   Access Controls: Access controls should provide reasonable assurance that computer\n     resources (data files, application programs, and computer-related facilities and equipment) are\n     protected against unauthorized modification, disclosure, loss, or impairment. The objectives of\n     limiting access are to ensure that: (1) users have only the access needed to perform their\n     duties; (2) access to very sensitive resources, such as security software programs, is limited to\n     very few individuals; and (3) employees are restricted from performing incompatible functions\n     or functions beyond their responsibilities. The Service did not have adequate controls to limit\n     or detect access to certain information systems in order to protect against unauthorized\n     modification, loss, and disclosure of data. We noted:\n\n     \xe2\x80\xa2     Lack of implemented control measures to ensure that access to data is properly\n           controlled;\n     \xe2\x80\xa2     Weaknesses with the configuration of the Service\xe2\x80\x99s intranet security architecture;\n     \xe2\x80\xa2     Improperly configured web servers permitted unauthorized access to the internal\n           network;\n     \xe2\x80\xa2     Unauthorized access to the internal network provided full control over a server; and\n     \xe2\x80\xa2     Weaknesses in internal access control and password management.\n3.   Software Development and Change Controls: Establishing controls over the modification of\n     application software programs helps to ensure that only authorized programs and authorized\n     modifications are implemented. Without proper controls, there is a risk that security features\n     could be inadvertently or deliberately omitted or \xe2\x80\x9cturned-off,\xe2\x80\x9d or that processing irregularities\n     could be introduced. The Service has not established a current, comprehensive system life\n     cycle that describes a standard methodology, a detailed software and application software\n     change management process, and software testing procedures.\n4.   Segregation of Duties: Segregation of duties is important to ensure the division of roles and\n     responsibilities and steps in critical functions are designed in information systems so that no\n     one individual can undermine the process. We noted weaknesses in the Service\xe2\x80\x99s segregation\n     of duties surrounding:\n\n     \xe2\x80\xa2     Regional security managers performing primary and secondary security functions; and,\n     \xe2\x80\xa2     Technology support staff performing change management responsibilities and network\n           monitoring.\n5.   Service Continuity: Losing the capability to process, retrieve, and protect information\n     maintained electronically could significantly impact the Service\xe2\x80\x99s ability to accomplish its\n     mission. Thus, procedures should be in place to protect information resources, minimize the\n     risk of unplanned interruptions, and recover critical operations should interruptions occur. To\n     mitigate the risk of service interruptions, the Service needs to implement comprehensive,\n     tested Continuity of Operations Plans to protect resources, minimize the risk of unplanned\n     interruptions, and to recover critical operations.\n6.   Hyperion Application: We noted that there is not an appropriate segregation of duties for\n     general user access within the Service\xe2\x80\x99s Hyperion-Enterprise application database. Currently,\n     all users within the Service\xe2\x80\x99s application database have the same level of access, granting them\n\n                                             12\n\x0c      the abilities to: 1) upload and process quarterly financial data, 2) create, change and delete all\n      manual journal entries, and 3) create, change and delete all user/system generated reports.\n      Also, all Hyperion users have the ability to view the Hyperion activity log which logs all login,\n      data load, journal posting, edit check, and consolidation procedure. However, Service\n      management does not periodically review this log for unusual activity.\n\nRecommendation\nWe recommend that the Service develop and implement a formal action plan to improve the security\nand general and application controls over its financial management systems. This plan should\naddress each of the areas discussed above, as well as other areas that might impact the information\ntechnology control environment to ensure adequate security and protection of the Service\xe2\x80\x99s financial\nmanagement systems.\n\nManagement Response\nWe agree with the general finding that the Service needs to improve security and general controls\nover its information/financial management systems.\nKPMG acknowledges that the Service has made improvements in the security and controls over its\ninformation systems, security-related personnel policies, computer security training, as well as\nsecurity policies and procedures at the National Communications Center. The Service will continue\nto move in the direction of complete compliance with OMB Circular A-130, Management of Federal\nInformation Systems, as quickly as possible. Toward this goal, the Service has published updated\nofficial policy manuals that describe: the overall Service Information Technology Architecture\n(SITA); planning and managing information technology (IT) capital investments; policies and\nprocedures for IT governance; management control reviews for automated information systems; data\nstandards and data management practices; and policies, procedures, and responsibilities for the\nService entity-wide IT security program.\nHaving established official policy, procedures, and guidance for effective security and general\ncontrols over information systems, we have the following comments for the categories cited in this\nreport:\n\n1.    Entity-wide Security Plan \xe2\x80\x93 The Service established an entity-wide security program and\n      security planning guidelines through the publication of Information Technology Manual titled\n      \xe2\x80\x9cAutomated Information System Security\xe2\x80\x9d in September 2002. The Service formed a new\n      Branch of Security Management with responsibility for oversight of the Service\xe2\x80\x99s IT security\n      program. To ensure full Service program and regional compliance with the Service\xe2\x80\x99s IT\n      security program as established in official policy, the Service will develop and issue technical\n      bulletins containing standards and guidance.\n2.    Access Controls \xe2\x80\x93 Weaknesses identified in Service web server and internal network\n      configuration have been addressed. The Service believes other weaknesses identified by\n      KPMG on the internal network are not a significant security threat, but we are pursuing\n      alternative configuration methods and procedures. The Service will also inform all system\n      owners and managers of major applications (MA) and general support systems (GSS) that they\n      are required to complete and effect security plans per Service policy.\n\n3.    Software Development and Change Control \xe2\x80\x93 The Service has issued policy governing\n      Automated Information Systems Capital Planning and Management which clarifies\n      responsibilities for system owners and managers including configuration management and\n      change control. The Service will publish additional technical bulletins for system owners and\n      managers that provide a more detailed System Development Life Cycle (SDLC) methodology.\n\n\n                                               13\n\x0c     4.    Segregation of Duties \xe2\x80\x93 The Service partially disagrees with the audit findings concerning\n           segregation of duties. The Service believes the program offices cited in the findings have\n           provided for adequate separation of duties in their security plans and procedures based on the\n           limited staff available. The system owners accept any residual risk. Further, such residual risk\n           is unlikely to affect the integrity of financial management systems. The Service has issued\n           official policy governing Automated Information System Security. The Service is planning to\n           provide system owners and managers with appropriate guidance for self-review concerning\n           segregation of duties.\n     5.    Service Continuity \xe2\x80\x93 The Service will issue a technical bulletin to provide guidance and\n           procedures for the proper preparation of continuity of operations plans and/or business\n           resumption plans.\n     6.    Hyperion Application \xe2\x80\x93 While the Department of the Interior is responsible for core security\n           of Hyperion and the server environment, KPMG\xe2\x80\x99s findings address the Service\xe2\x80\x99s use of the\n           Hyperion application, with particular emphasis on control of access to Hyperion by Service\n           employees, on whether the Service has provided an adequate audit trail with this application,\n           and on whether the Service has adequate segregation of duties during its use:\n           a.    Access control of the Hyperion application \xe2\x80\x93 The Service maintains a list of input\n                 activity; and employee access granted by Department officials generally is reviewed and\n                 approved by Service management. Also, an activity log is reviewed to monitor employee\n                 access and access purpose and activity is approved by Service management. Thus, the\n                 Service believes that the Service has adequate controls over Service employee access;\n                 however, there have been a few instances where the Department has provided employee\n                 access to Service records and did so by circumventing the Service\xe2\x80\x99s approving official.\n                 We are working with the Department on ensuring that such circumvention does not\n                 occur again.\n           b.    Segregation of duties \xe2\x80\x93 Preparing journal entries in software compatible with the\n                 Hyperion application was part of the Service\xe2\x80\x99s effort to automate the journal voucher\n                 process. With thousands of lines of property, accruals, and corrections, the Service\n                 designed controls concomitant with available resources. Since the Service has completed\n                 it staffing plan and hired appropriate staff as discussed under B. above, the Service has\n                 assigned responsibilities among several knowledgeable staff in a manner where we\n                 believe we have adequate separation of duties. Also, with the addition of staff,\n                 operational processes now require journal vouchers to be initialed by the preparer and\n                 signed by the approving official.\n\nG.   Grant Controls and Processes Over Reporting Requirements\n     The Federal Aid in Sport Fish and Wildlife Restoration Act was created to fund restoration efforts\n     for the benefit of fish, wildlife, and the American people. The Service\xe2\x80\x99s Division of Federal Aid\n     makes funds available from these appropriations to eligible state agencies in the form of grants.\n     Receipt of these grants require certain financial and performance reporting at interim periods for the\n     grant and at its close.\n     During our test work, we noted that the Service did not receive SF-269 Financial Status Reports in a\n     timely manner. Our test work revealed 103 overdue reports as of September 30, 2002. A majority of\n     these were due as of year-end; however, 26 reports were due prior to this time. We also noted 6\n     instances in our sample of 45 items in which the States did not request filing extensions and filed the\n     SF 269s past the 90-day timeframe.\n\n\n\n                                                    14\n\x0c     We also noted the Service did not receive performance reports within the 90 days of the close of the\n     grant. Our test work revealed approximately 170 overdue performance reports at September 30,\n     2002; 22 of these reports were due prior to the Federal Aid Information Management System\n     (FAIMS) conversion on January 1, 1999. These performance reports are used in part to monitor grant\n     performance and also generate capital investment disclosure information for the Service\xe2\x80\x99s investment\n     in nonfederal physical property.\n\n     While the Division of Federal Aid has made efforts to request reports from states after they become\n     delinquent, it has not performed sufficient monitoring to ensure state s submit required Performance\n     Reports and SF-269 Financial Status Reports in a timely manner.\n     SF-269 Financial Status Reports are used to properly record grant expense in the FAIMS and receipt\n     of these reports also triggers deobligation of funds at the close of grants. Failure to receive reports in\n     a timely manner could result in a misstatement of the Service\xe2\x80\x99s financial statements. Performance\n     reports are the primary source for required disclosure of investments in nonfederal physical property.\n     As a result of not obtaining such reports in a timely manner, the Service\xe2\x80\x99s required supplementary\n     information may be incomplete.\n\n     Recommendation\n     The Division of Federal Aid should ensure that Performance Reports and SF-269 reports are\n     obtained and entered into FAIMS in a timely manner. The Service should consider implementing\n     remedies available in Code of Federal Regulations Section 43 in order to increase state compliance\n     with reporting provisions.\n\n     Management Response\n     The Service agrees with this finding and is completing action plans designed to accommodate\n     KPMG\xe2\x80\x99s recommendations. Further, the Service will explore all available options to encourage\n     States to comply timely with financial and performance reporting requirements in a manner that\n     improves the information available for the Service\xe2\x80\x99s financial statements.\n\nH.   IDEAS-Procurement Desktop Controls\n     The IDEAS-Procurement Desktop (IDEAS-PD) is used by the Service to process obligations. The\n     reconciliation process surrounding the IDEAS-PD and access controls over the system needs\n     improvement. We noted that:\n\n     \xe2\x80\xa2     The Citrix-based interface between IDEAS-PD and FFS does not consistently complete\n           interface transactions. An individual user attempting an interface transaction is notified when\n           the interface transaction has reje cted; however, the Service has not established a formal\n           process to reconcile obligations in IDEAS-PD to FFS;\n     \xe2\x80\xa2     Numerous users have access to databases outside their region;\n     \xe2\x80\xa2     Generic accounts are used; and,\n     \xe2\x80\xa2     IDEAS-PD does not have an approved risk assessment, security plan, or contingency plan in\n           place.\n     We also noted that IDEAS-PD has not been formally authorized by the Service\xe2\x80\x99s Division of\n     Contracting and Facilities Management for use in the Service. This authorization normally occurs via\n     an accreditation from system owners. The application is used in markedly different ways across the\n     Service. For example, some regions use the electronic Purchase Request (PR) feature whereas other\n     regions pick up the procurement transaction from the approved and certified paper PR.\n\n\n\n                                                     15\n\x0c      The cause of some of the issues noted above is that the Service replicated all databases in each region\n      when IDEAS-PD moved from the centralized National Business Center (NBC) application hosting to\n      the regional client-server architecture. This move, along with the resulting attempts to clean and\n      administer the mirrored databases locally, resulted in users with access to other regions\xe2\x80\x99 databases\n      and the use of generic accounts.\n\n      We noted that field stations and other cost centers are responsible for ensuring obligations are\n      properly posted to FFS; however, there is no consolidated reconciliation process of IDEAS-PD and\n      FFS. Currently, reporting from FFS has not been established to facilitate this reconciliation process.\n      Once such a report is in place, and the Service indicated that reconciliations for FY 2001 and 2002\n      will be performed. If the interface between IDEAS-PD and FFS is inconsistent, the Service\xe2\x80\x99s\n      obligations may be misstated. These misstatements may be exacerbated by the regions using the\n      application differently.\n\n      Recommendation\n      We recommend that the Service, at a minimum, take the following steps to improve controls over\n      IDEAS-PD:\n\n      1.    Continue to isolate the problems with the Citrix-based interface from IDEAS-PD to FFS.\n\n      2.    Complete the reconciliation process of initial obligations.\n      3.    Ensure access is appropriate to regional databases and the specific job responsibilities of the\n            regional users.\n\n      4.    Eliminate the use of generic user IDs.\n\n      5.    Proceed with the formal OMB Circular A-130 Major Application compliance process.\n\n      Management Response\n      The Service will work to improve its operational guidelines and procedures and to monitor their\n      execution with the goal of automating reconciliation with FFS and PPMS. Also, the Service will\n      continue its efforts to refine security features of IDEAS-PD consistent with Service and\n      Departmental security plans.\n\nA summary of the status of prior-year reportable conditions is included as exhibit I.\nWe also noted other matters involving internal control over financial reporting and its operation that we\nhave reported to the management of the Service in a separate letter dated January 10, 2003.\n\nCompliance With Laws and Regulations\nThe results of our tests of compliance with certain provisions of laws and regulations described in the\nresponsibilities section of this report, exclusive of FFMIA, disclosed no instances of noncompliance that\nare required to be reported herein under Government Auditing Standards or OMB Bulletin No. 01-02.\n\nThe results of our tests of FFMIA disclosed instances, described below, where the Service\xe2\x80\x99s financial\nmanagement systems did not substantially comply with the federal financial management systems\nrequirements and federal accounting standards.\nI.    Federal Financial Management Systems Requirements \xe2\x80\x93 As discussed in the section of our report\n      entitled Internal Control over Financial Reporting, the Service needs to improve its information\n      technology security and general control environment. As a result, the Service does not substantially\n\n\n                                                     16\n\x0c      comply with the information technology security and general control requirements of OMB Circular\n      A-130, Management of Federal Information Resources.\nJ.    Federal Accounting Standards \xe2\x80\x93 The Service is required to prepare its financial statements in\n      accordance with federal accounting standards. As discussed in the section of this report entitled\n      Internal Control over Financial Reporting, we identified material weaknesses related to buildings,\n      structures, and construction work in process, financial reporting, reconciliation of intrabureau\n      activity and intradepartmental transactions and accounts payable. The foregoing material weaknesses\n      in internal control are also an indicator of noncompliance with FFMIA provisions relating to federal\n      accounting standards.\n\nRecommendation\n1.    We recommend that the Service take the necessary actions to improve information technology\n      security and general controls over its financial management systems in accordance with requirements\n      set forth in OMB Circular A-130 in fiscal year 2003.\n\n2.    We recommend that the Service strengthen its procedures and internal control to ensure that\n      buildings, structures, and construction work in process is fairly stated, its financial reporting process\n      is improved, its intrabureau activity and intradepartmental transactions are reconciled, and accounts\n      payable are recorded in accordance with federal accounting standards.\nThe results of our tests of FFMIA disclosed no instances in which the Service\xe2\x80\x99s financial management\nsystems did not substantially comply with the United States Government Standard General Ledger at the\ntransaction level.\n\nManagement Response\nThe Service has made substantial improvements in IT security policy and controls to comply with OMB\nCircular A-130, Management of Federal Information Resources, but acknowledges that it needs to make\nfurther progress. In our response to the recommendations in section F., the Service explains how it intends\nto achieve full compliance, with the goal to address all previous findings of noncompliance, as well as to\npro-actively bring all offices, programs and systems in the Service into complete A-130 compliance in FY\n2003.\nThe Service believes that the corrective actions outlined under sections A., B., and D. will implement\nKPMG\xe2\x80\x99s recommendations and will address the finding of noncomplia nce with federal accounting\nstandards.\n\nResponsibilities\nManagement\xe2\x80\x99s Responsibilities\nThe Government Management Reform Act (GMRA) of 1994 requires each federal agency to report\nannually to Congress on its financial status and any other information needed to fairly present its financial\nposition and results of operations. To assist the Department of the Interior in meeting the GMRA reporting\nrequirements, the Service prepares annual financial statements.\n\nManagement is responsible for the financial statements, which includes:\n\n\xe2\x80\xa2     Preparing the financial statements in conformity with accounting principles generally accepted in the\n      United States of America;\n\xe2\x80\xa2     Establishing and maintaining internal controls over financial reporting, and preparation of the\n      management\xe2\x80\x99s discussion and analysis (including the performance measures), required\n      supplementary information, and required supplementary stewardship information; and\n\n                                                      17\n\x0c\xe2\x80\xa2     Complying with laws and regulations, including FFMIA.\nIn fulfilling this responsibility, estimates and judgments by management are required to assess the expected\nbenefits and related costs of internal control policies. Because of inherent limitations in internal control,\nmisstatements, due to error or fraud, may nevertheless occur and not be detected.\n\nAuditors\xe2\x80\x99 Responsibilities\nOur responsibility is to express an opinion on the financial statements of the Service based on our audits.\nExcept as disclosed in the second paragraph of our opinion on the financial statements, we conducted our\naudits in accordance with auditing standards generally accepted in the United States of America, the\nstandards applicable to financial audits contained in Governmental Auditing Standards issued by the\nComptroller General of the United States and OMB Bulletin No. 01-02. Those standards and OMB\nBulletin No. 01-02 require that we plan and perform the audits to obtain reasonable assurance about\nwhether the financial statements are free of material misstatement.\nAn audit includes:\n\xe2\x80\xa2     Examining, on a test basis, evidence supporting the amounts and disclosures in the financial\n      statements;\n\xe2\x80\xa2     Assessing the accounting principles used and significant estimates made by management; and\n\xe2\x80\xa2     Evaluating the overall financial statement presentation.\nWe believe that our audits provide a reasonable basis for our opinion.\nIn planning and performing our fiscal year 2002 audit, we considered the Service\xe2\x80\x99s internal control over\nfinancial reporting by obtaining an understanding of the Service\xe2\x80\x99s internal control, determining whether\ninternal controls had been placed in operation, assessing control risk, and performing tests of controls in\norder to determine our auditing procedures for the purpose of expressing our opinion on the financial\nstatements. We limited our internal control testing to those controls necessary to achieve the objectives\ndescribed in OMB Bulletin No. 01-02 and Governmental Auditing Standards. We did not test all internal\ncontrols relevant to operating objectives as broadly defined by the Federal Managers\xe2\x80\x99 Financial Integrity\nAct of 1982. The objective of our audit was not to provide assurance on internal control over financial\nreporting. Consequently, we do not provide an opinion thereon.\nAs required by OMB Bulletin No. 01-02, we considered the Service\xe2\x80\x99s internal control over required\nsupplementary stewardship information by obtaining an understanding of the Service\xe2\x80\x99s internal control,\ndetermining whether these internal controls had been placed in operation, assessing control risk, and\nperforming tests of controls. Our procedures were not designed to provide assurance on internal control\nover required supplementary stewardship information and, accordingly, we do not provide an opinion\nthereon.\nAs further required by OMB Bulletin No. 01-02, with respect to internal control related to performance\nmeasures determined by management to be key and reported in the management\xe2\x80\x99s discussion and analysis,\nwe obtained an understanding of the design of significant internal controls relating to the existence and\ncompleteness assertions. Our procedures were not designed to provide assurance on internal control over\nperformance measures and, accordingly, we do not provide an opinion thereon.\nAs part of obtaining reasonable assurance about whether the Service\xe2\x80\x99s fiscal year 2002 financial statements\nare free of material misstatement, we performed tests of the Service\xe2\x80\x99s compliance with certain provisions\nof laws and regulations, noncompliance with which could have a direct and material effect on the\ndetermination of financial statement amounts, and certain provisions of other laws and regulations\nspecified in OMB Bulletin No. 01-02, including certain provisions referred to in FFMIA. We limited our\ntests of compliance to the provisions described in the preceding sentence, and we did not test compliance\n\n                                                     18\n\x0cwith all laws and regulations applicable to the Service. Providing an opinion on compliance with laws and\nregulations was not an objective of our audit and, accordingly, we do not express such an opinion.\nUnder OMB Bulletin No. 01-02 and FFMIA, we are required to report whether the Service\xe2\x80\x99s financial\nmanagement systems substantially comply with (1) federal financial management systems requirements,\n(2) applicable federal accounting standards, and (3) the United States Government Standard General\nLedger at the transaction level. To meet this requirement, we performed tests of compliance with FFMIA\nSection 803(a) requirements.\n\nDistribution\nThis report is intended for the information and use of the United States Fish and Wildlife Service\nmanagement, Department of the Interior, Department of the Interior\xe2\x80\x99s Office of the Inspector General,\nOMB, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these\nspecified parties.\n\n\n\n\nJanuary 10, 2003\n\n\n\n\n                                                   19\n\x0c                                                                                      Exhibit I\n\n\n                UNITED STATES FISH AND WILDLIFE SERVICE\n               Summary of the Status of Prior-Year Reportable Conditions\n                                   September 30, 2002\n\n\n\nReference              Condition Area                                      Status\n 2001-A     Financial Reporting                         This condition has not been corrected\n                                                        and is repeated in FY 2002.\n\n 2001-B     Capital Equipment                           This condition has not been corrected\n                                                        and is repeated in FY 2002.\n\n 2001-C     Buildings, Structures, and Construction     This condition has not been corrected\n            Work in Process                             and is repeated in FY 2002.\n\n 2001-D     Security and General Controls Over          This condition has not been corrected\n            Financial Management Systems                and is repeated in FY 2002.\n\n 2001-E     Aquatic Resource Trust Fund and             This condition has been corrected.\n            Sport Fish Restoration Account\n\n 2001-F     FFMIA \xe2\x80\x93 Financial Management                This instance of noncompliance has not\n            Systems Requirements                        been corrected and is repeated in FY\n                                                        2002.\n\n 2001-G     FFMIA \xe2\x80\x93 Federal Accounting                  This instance of noncompliance has not\n            Standards                                   been corrected and is repeated in FY\n                                                        2002.\n\n\n\n\n                                           20\n\x0c'